<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <head>
    <title>Lecture 3: Privilege Separation</title>
    <meta name="generator" content="Muse">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    
    <link rel="stylesheet" type="text/css"charset="utf-8" media="all" href="../styles/common.css"  />

    <script src="../scripts/jsMath/easy/load.js"></script>
  </head>

  <body>

    <h1>Lecture 3: Privilege Separation
      <!-- menu start here -->
      <div class="menu">
        <div class="menuitem">
          <a href="../home/index.html">Home</a>
        </div>
        <div class="menuitem">
          <a href="../courses/index.html">Courses</a>
        </div>
        <div class="menuitem">
          <a href="../projects/index.html">Projects</a>
        </div>
        <div class="menuitem">
          <a href="../complang/index.html">CompLang</a>
        </div>
        <div class="menuitem">
          <a href="../code/index.html">CodeReading</a>
        </div>
        <div class="menuitem">
          <a href="../software/index.html">Software</a>
        </div>
        <div class="menuitem">
          <a href="../lectures/index.html">Lectures</a>
        </div>
      </div>
      <!-- menu ends here -->

    </h1>


    <!-- Page published by Emacs Muse begins here -->

<h2>Background: web service architecture with apache</h2>

<ul>
<li>clients -&gt; apache -&gt; application code -&gt; database</li>
<li>apache, app code runs as the &quot;www&quot; user

<ul>
<li>app code: fetch/change user profile, send message, find friends</li>
</ul></li>
<li>database often runs as a separate user (maybe on another machine)</li>
<li>however, SQL interface to the DB allows app to access all the data</li>
</ul>


<h2>OKWS design</h2>

<ul>
<li>how does okws achieve this partitioning?

<ul>
<li>separate uid + process for each service</li>
<li>main server code also partitioned into functions</li>
<li>chroot to prevent processes from accessing extra files</li>
<li>RPC between processes</li>
<li>db proxy limits data access interface</li>
</ul></li>

<li>how does a request get processed in this model?

<ul>
<li>accepted by okd</li>
<li>okd reads the first line of req, figures out which service to use</li>
<li>okd logs request, sends file descriptor to that service</li>
<li>service reads rest of HTTP request, uses dbproxy to process</li>
<li>service may need HTML templates &mdash; fetch from pubd and cache</li>
<li>service logs request, sends response back to user</li>
</ul></li>
</ul>


<h2>Does okws achieve its goal?</h2>

<blockquote>
<p class="quoted">what are the components we should consider?
[client] okld okd pubd oklogd service dbproxy [database]</p>
</blockquote>

<ul>
<li>what's the effect of each component being compromised?

<ul>
<li>okld: root!  everything on that machine.</li>
<li>okd: can intercept/modify all user HTTP reqs/responses, steal passwds</li>
<li>pubd: can corrupt templates, maybe leverage to exploit bug in svc?</li>
<li>oklogd: corrupt/ignore/remove/falsify log entries</li>
<li>service: send garbage to user, access data for svc (what dbproxy allows)</li>
<li>dbproxy: access/change all user data in the database it's talking to

<ul>
<li>likely one database and many dbproxy processes</li>
<li>possible to have multiple databases altogether</li>
</ul></li>
</ul></li>

<li>how would you compromise this system?

<ul>
<li>exploit buffer overflow or the like in C++ code</li>
<li>okd can be used to steal user credentials</li>
<li>service can be used to steal all data available to svc</li>
<li>maybe try to find a SQL injection attack in some dbproxy</li>
</ul></li>
</ul>



<!-- Page published by Emacs Muse ends here -->
<hl />
<p />
<!-- <center> -->
<!--   Updated at  -->
<!--   2010-02-27 -->
<!-- </center> -->

<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
  try {
  var pageTracker = _gat._getTracker("UA-2241833-12");
  pageTracker._trackPageview();
  } catch(err) {}</script>

</body>
</html>

